2 IEEE 802.21 presentation release statements

This document has been prepared to assist the IEEE Working Group. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.

The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE.

The contributor is familiar with IEEE patent policy, as stated in Section 6 of the IEEE-SA Standards Board bylaws <http://standards.ieee.org/guides/bylaws/sect6-7.html#6> and in Understanding Patent Issues During IEEE Standards Development.

8 Technical Challenges in Handovers

Motivation
- Efficient Network Discovery and Selection: Inter-Network Neighbor Advertisements reduce power consumption in scanning. The radio module only turns on if coverage is available.
- Low Latency Handovers: Requires an inter-RAT interface. Speeds up the handoff procedure (passing security keys, resource reservation).
- Service Provider’s Control in Target Network Selection: Enables service providers to enforce handoff policies and decisions. Requires inter-RAT measurement reporting.
- Service Continuity: Requires an L3 anchor and L3 mobility management signaling. An inter-RAT interface between access gateways can be used for this purpose.

Target preparation is the key aspect of optimized handovers.

12 Network Access Security Steps

- Step 1: Network access authentication
- Step 2: Secure association
- Step 3: Access control and ciphering

Entities involved:
- MN: Mobile Node
- PoA: Point of Attachment (e.g., Access Point)
- AS: Authentication Server (e.g., AAA server)

[Figure: MN, PoA and AS; the MN changes its PoA due to handover. Step 1: Network Access Authentication; Step 2: Secure Association; Step 3: Access Control and Ciphering]

Network access security is all about how to bind the three steps together to provide appropriate security properties for network access with the use of security associations (SAs).

13 Security Associations (SAs)

- SAmp: An SA between MN and PoA
- SAma: An SA between MN and AS
- SApa: An SA between PoA and AS

SAma and SApa are pre-established based on long-term credentials.
SAmp is dynamically established with the creation of a Session Key.

[Figure: AS, MN and PoA, with SAma between MN and AS, SApa between PoA and AS, and SAmp between MN and PoA]

14 Step 1 - Network Access Authentication

[Figure: message sequence between MN*, PoA* and AS*]
  PoA -> MN:  EAP-Request
  MN  -> PoA: EAP-Response
  PoA -> AS:  AAA{EAP-Response}
  AS  -> PoA: AAA{EAP-Request}
  PoA -> MN:  EAP-Request
  ::          (further EAP round trips)
  AS  -> PoA: AAA{EAP-Success, MSK}
  PoA -> MN:  EAP-Success

*) Note: MN, PoA and AS are EAP peer, authenticator and server, respectively, and represent one deployment model.

- MN and PoA authenticate each other with the help of AS and establish SAmp based on SAma and SApa.
- EAP (Extensible Authentication Protocol) exports two keys:
  - MSK (Master Session Key) - distributed from AS to PoA
  - EMSK (Extended Master Session Key) - used for other purposes
- EAP is transported at link layer as well as higher layers:
  - Link-layer EAP transport in IEEE 802: 802.1X, PKMv2
  - Higher-layer EAP transport: PANA (Protocol for carrying Authentication for Network Access), IKEv2 (Internet Key Exchange version 2), RADIUS/Diameter

15 Step 2 - Secure Association

A link-layer specific procedure to attach to a PoA in a secure manner:
- Step 2-1: Provide and verify proof of each other’s possession of the session key corresponding to SAmp
- Step 2-2: Create access control filters and ciphering keys

The ciphering keys are used in Access Control and Ciphering (Step 3).

16 Step 3 - Access Control and Ciphering

- Access control ensures that link-layer data frames are exchanged between MN and PoA only after a successful run of Network Access Authentication and Secure Association.
- Link-layer data frames are cryptographically protected with the use of ciphering keys, depending on the underlying link-layer technology.
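The three steps above (Slides 12 to 16), run end to end as an added worked example that is not part of the presentation: the AS shares a long-term credential with the MN (SAma), the EAP run is reduced to a single proof over that credential and exports an MSK that the AS hands to the PoA, the Secure Association is a nonce exchange in which each side proves possession of the SAmp session key and both derive a ciphering key, and the PoA's port stays closed to data frames until that succeeds. The use of HMAC-SHA256 as the derivation function, the message layout, and the identifiers (mn-1, poa-1) are assumptions made for the example.

```python
import hashlib
import hmac
import os


def prf(key, label, context=b""):
    """Key derivation and proof function for the whole example.
    Assumption: HMAC-SHA256 over label|context, not a standardized KDF."""
    return hmac.new(key, label + b"|" + context, hashlib.sha256).digest()


class AuthServer:
    """AS: shares a long-term credential with each MN (SAma)."""

    def __init__(self, credentials):
        self.credentials = credentials

    def authenticate(self, mn_id, nonce, proof):
        """Stand-in for the EAP exchange: verify the MN's proof over the long-term
        key and, on success, export the MSK (the EMSK is never sent to the PoA)."""
        ltk = self.credentials.get(mn_id)
        if ltk is None or not hmac.compare_digest(prf(ltk, b"eap-proof", nonce), proof):
            return None
        return prf(ltk, b"MSK", nonce)


class MobileNode:
    def __init__(self, mn_id, ltk):
        self.mn_id, self.ltk = mn_id, ltk
        self.nonce = self.msk = self.ptk = self.tk = None

    def step1_request(self):  # Step 1: EAP peer side
        self.nonce = os.urandom(16)
        return self.mn_id, self.nonce, prf(self.ltk, b"eap-proof", self.nonce)

    def step1_finish(self):  # the same MSK the AS delivered to the PoA
        self.msk = prf(self.ltk, b"MSK", self.nonce)

    def step2_respond(self, poa_id, anonce):  # Step 2-1: prove possession of the SAmp key
        snonce = os.urandom(16)
        self.ptk = prf(self.msk, b"PTK", poa_id.encode() + self.mn_id.encode() + anonce + snonce)
        return snonce, prf(self.ptk, b"MIC", snonce)

    def step2_finish(self, anonce, poa_mic):  # Step 2-2: verify PoA's proof, derive ciphering key
        if not hmac.compare_digest(prf(self.ptk, b"MIC", anonce), poa_mic):
            return False
        self.tk = prf(self.ptk, b"TK")
        return True

    def send(self, payload):  # Step 3: frame protected with the ciphering key (integrity tag)
        return payload, prf(self.tk, b"frame", payload)[:16]


class PointOfAttachment:
    def __init__(self, poa_id, auth_server):
        self.poa_id, self.auth_server = poa_id, auth_server
        self.mn_id = self.msk = self.ptk = self.tk = self.anonce = None
        self.port_open = False  # access control filter: data blocked until Step 2 completes

    def step1(self, mn_id, nonce, proof):
        self.msk = self.auth_server.authenticate(mn_id, nonce, proof)  # AAA{EAP-Success, MSK}
        self.mn_id = mn_id
        return self.msk is not None

    def step2_start(self):
        self.anonce = os.urandom(16)
        return self.poa_id, self.anonce

    def step2_verify(self, snonce, mn_mic):
        self.ptk = prf(self.msk, b"PTK", self.poa_id.encode() + self.mn_id.encode() + self.anonce + snonce)
        if not hmac.compare_digest(prf(self.ptk, b"MIC", snonce), mn_mic):
            return None
        self.tk = prf(self.ptk, b"TK")
        self.port_open = True  # filters opened, ciphering key installed
        return prf(self.ptk, b"MIC", self.anonce)

    def receive(self, frame):
        payload, tag = frame
        if not self.port_open:
            return None  # Step 3 access control: dropped before authentication and SA
        if not hmac.compare_digest(prf(self.tk, b"frame", payload)[:16], tag):
            return None  # integrity check failed: forged or tampered frame
        return payload


def attach(mn, poa):
    """Run Steps 1 and 2 between an MN and a PoA; True once SAmp is established."""
    mn_id, nonce, proof = mn.step1_request()
    if not poa.step1(mn_id, nonce, proof):
        return False
    mn.step1_finish()
    poa_id, anonce = poa.step2_start()
    snonce, mic = mn.step2_respond(poa_id, anonce)
    poa_mic = poa.step2_verify(snonce, mic)
    return poa_mic is not None and mn.step2_finish(anonce, poa_mic)


def demo():
    ltk = os.urandom(32)  # constructed long-term credential (SAma)
    server = AuthServer({"mn-1": ltk})
    poa, mn = PointOfAttachment("poa-1", server), MobileNode("mn-1", ltk)
    dropped_before_sa = poa.receive((b"hello", bytes(16))) is None
    attached = attach(mn, poa)
    delivered = poa.receive(mn.send(b"hello")) == b"hello"
    _, tag = mn.send(b"hello")
    tampered_dropped = poa.receive((b"hellp", tag)) is None
    impostor = MobileNode("mn-1", os.urandom(32))  # right identity, wrong credential
    impostor_rejected = not attach(impostor, PointOfAttachment("poa-1", server))
    return {"dropped_before_sa": dropped_before_sa, "attached": attached, "delivered": delivered,
            "tampered_dropped": tampered_dropped, "impostor_rejected": impostor_rejected}
```

Running demo() exercises the binding the slide describes: a frame sent before the Secure Association is dropped by the access control filter, a frame tampered after it fails the ciphering check, and an MN with the right identity but the wrong long-term credential never gets past Step 1, so no SAmp is created for it.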

17 Security Signaling Latency

- Approximately 90% of the latency originates from the EAP signaling during network access authentication (full authentication).
- EAP authentication takes on average 100s of ms, while the layer 2 key management (4-way handshake (HS) in 802.11 and 3-way handshake in 802.16) takes on average less than 10 ms.

Legend: MN: Mobile Node; AP: Access Point; BS: Base Station; AAA: AAA server

24 IEEE P802.1af and 802.1AE

IEEE P802.1af - a new revision of 802.1X for port access control; it provides:
- Network access authentication, secure association and access control for LAN/MAN
- Network discovery
- Allows a session key that was established between a Host and a Network Access Point to be cached and reused when reconnecting back to the Network Access Point after moving to another Network Access Point

IEEE 802.1AE - MAC Security
- Provides ciphering for LAN/MAN

26 Dual and Single Radio Handovers

Dual radio handover: The MN has two radios, and both radios are transmitting at the same time during handovers. Target preparation is done via the target radio.
- Allows a ‘make-before-break’ handover and as such service disruption can be avoided.

Single radio handover: The MN has two radios, but only one radio is transmitting at a time due to co-existence, interference, or battery issues. Target preparation is done using the source radio.
- Limited to ‘break-before-make’ handover and as such service disruption cannot be avoided without additional optimization.

27 Dual-radio Handover Flow

1. MN connected with Radio 1 to AN1, and an application session is active
2. MN moves, Radio 2 on
3. MN decides to perform HO to AN2
4. MN authenticates with AN2 using Radio 2
5. Subsequent HO procedures follow, including IP mobility signaling, resource reservation and so on
6. Application session continuity is maintained on AN2
7. Radio 1 off or idle

(Conceptual flow)

29 What is the problem?

- Security-related signaling can increase the latency significantly in single-radio handovers, and in many cases service continuity cannot be met.
- Handover techniques that assume concurrent radio usage cannot be used.
- Even for dual-radio devices it might make sense to reduce the security-related signaling, as it decreases the time that both radios need to be active and thus can increase battery life.
- In addition, handovers between networks within the same AAA domain or in different AAA domains pose different challenges.

30 Potential Approach for Intra-AAA-domain Handover - Key Hierarchy-based Transition (1/3)

- Establish a key hierarchy through full authentication upon entry into the AAA domain.
- The key hierarchy may span multiple link-layer technologies.
- Network access authentication is based on exchanging proof of possession of the root key between MN and the root key holder through the PoA.

[Figure: key hierarchy]
  Root Key
    |-- Session Key for PoA_1
    |-- Session Key for PoA_2
    |-- ...
    |-- Session Key for PoA_N
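The key hierarchy-based transition, as an added example that is not part of the presentation: one full authentication on entry into the AAA domain installs a root key at the MN and at a root key holder; every later attachment derives that PoA's session key from the root key and the PoA identity, and the MN proves possession of it to the root key holder through the PoA, which then receives only its own session key. The derivation function (HMAC-SHA256), the challenge format and the PoA identifiers (constructed 802.11 and 802.16 names, to show the hierarchy spanning link-layer technologies) are assumptions made here.

```python
import hashlib
import hmac
import os


def prf(key, label, context=b""):
    """HMAC-SHA256 as the one-way derivation function (assumption for this example)."""
    return hmac.new(key, label + b"|" + context, hashlib.sha256).digest()


def session_key(root_key, poa_id):
    """Session key for one PoA, derived from the root key and the PoA identity.
    prf is one-way, so holding PoA_1's session key reveals nothing about PoA_2's."""
    return prf(root_key, b"session-key", poa_id.encode())


class RootKeyHolder:
    """Domain-level root key holder (e.g. the AAA server of the domain)."""

    def __init__(self):
        self.root_keys, self.full_authentications = {}, 0

    def full_authentication(self, mn_id):
        # Stand-in for the full EAP run on entry into the AAA domain; the root key
        # it yields is shared by the MN and the root key holder only.
        self.full_authentications += 1
        self.root_keys[mn_id] = os.urandom(32)
        return self.root_keys[mn_id]

    def verify_and_deliver(self, mn_id, poa_id, nonce, proof):
        """Check the MN's proof of possession relayed by the PoA; on success hand
        the PoA its own session key and nothing else from the hierarchy."""
        rk = self.root_keys.get(mn_id)
        if rk is None:
            return None
        sk = session_key(rk, poa_id)
        expected = prf(sk, b"pop", nonce + mn_id.encode() + poa_id.encode())
        return sk if hmac.compare_digest(expected, proof) else None


class MobileNode:
    def __init__(self, mn_id):
        self.mn_id, self.root_key, self.keys = mn_id, None, {}

    def enter_domain(self, holder):
        self.root_key = holder.full_authentication(self.mn_id)

    def prove(self, poa_id, nonce):
        """Handover to poa_id: derive that PoA's session key locally and answer the
        PoA's challenge with it, which proves possession of the root key."""
        if self.root_key is None:
            return None
        self.keys[poa_id] = session_key(self.root_key, poa_id)
        return prf(self.keys[poa_id], b"pop", nonce + self.mn_id.encode() + poa_id.encode())


class PointOfAttachment:
    def __init__(self, poa_id, holder):
        self.poa_id, self.holder, self.session_keys = poa_id, holder, {}

    def attach(self, mn):
        nonce = os.urandom(16)
        proof = mn.prove(self.poa_id, nonce)
        if proof is None:
            return False
        sk = self.holder.verify_and_deliver(mn.mn_id, self.poa_id, nonce, proof)
        if sk is None:
            return False
        self.session_keys[mn.mn_id] = sk
        return True


def demo():
    holder = RootKeyHolder()
    mn = MobileNode("mn-1")
    mn.enter_domain(holder)  # the single full authentication, on domain entry
    # constructed PoA ids across two link-layer technologies
    poas = [PointOfAttachment(p, holder) for p in ("802.11:ap-1", "802.11:ap-2", "802.16:bs-1")]
    attached = all(poa.attach(mn) for poa in poas)
    keys = [poa.session_keys["mn-1"] for poa in poas]
    separated = len(set(keys)) == 3 and all(k == mn.keys[p.poa_id] for k, p in zip(keys, poas))
    # a proof produced for ap-1 is useless at ap-2: it is bound to the PoA id and the nonce
    nonce = os.urandom(16)
    replayed = holder.verify_and_deliver("mn-1", "802.11:ap-2", nonce, mn.prove("802.11:ap-1", nonce))
    # an MN that never entered the domain holds no root key to prove
    stranger_rejected = not PointOfAttachment("802.11:ap-1", holder).attach(MobileNode("mn-9"))
    return {"attached": attached, "full_authentications": holder.full_authentications,
            "separated": separated, "replay_rejected": replayed is None,
            "stranger_rejected": stranger_rejected}
```

Three attachments across two technologies cost one full authentication; each PoA ends up with a distinct session key that matches the MN's own derivation, and a proof bound to one PoA's identity is rejected when presented for another.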

33 Potential Approach for Inter-AAA-Domain Handover - Authentication-based Transition

- Since the networks are in different AAA domains, in general full authentication cannot be avoided.
- There is no reason for the new domain to “trust” keys from the old domain, and no reason for the mobile device to “trust” the new domain with keys it used with its old domain.
- Roaming agreements (SLAs) may exist between the two networks, but the home operator might still require the user to authenticate with the home network (AAA) for security or policy reasons.
- A pre-authentication solution is needed that works across multiple AAA domains.

[Figure: EAP server; EAP (RFC 3748) signaling; AAA domain X; AAA domain Y; Secure Association]

34 Proposed Direction

- Proactive authentication is the promising approach to reduce authentication and key establishment signaling latency.
- Needed for secure service continuity across different link-layer technologies and AAA domains.
- Use existing media-specific Secure Association mechanisms.
- Proactive authentication can be based on proactive re-authentication and on pre-authentication.
- Proactive authentication requires an EAP transport.
- The solution works independently of link-layer technologies.
- Our main scope is IEEE 802 technologies, but the solution could be applied to handovers to other technologies.

35 How can 802.21 Solve the Problem?

- Define proactive authentication commands that can start authentication and key establishment before the handover commitment / completion.
- Define a media independent transport to carry the proactive authentication command on top of the MIH protocol.
  - The transport must work across multiple LANs.
  - The transport needs to carry not only the EAP message but also additional information for binding between proactive authentication entities and link-layer entities.
- Define triggers for proactive authentication.
- Define information elements relating to proactive authentication.
- Define key install commands.
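The proactive authentication command, its binding information and the key install command of Slides 34 and 35, as an added example that is not part of the presentation and not the MIH protocol's actual encoding: a hypothetical type/length/value container carries the EAP payload together with the MN link identifier and the target PoA identifier, the target authenticator accepts the command only when it is addressed to it, the resulting key is derived bound to both link-layer identities, and the key install command releases it only for the link identity it was bound to. The latency constants are constructed from the orders of magnitude the deck gives (hundreds of ms for EAP full authentication, under 10 ms for layer-2 key management); the identifiers (mn-1, poa-2, poa-3) and the reduction of the EAP run to one proof are assumptions.

```python
import hashlib
import hmac
import os
import struct


def prf(key, label, context=b""):
    """HMAC-SHA256 used for every derivation and proof (assumption for the example)."""
    return hmac.new(key, label + b"|" + context, hashlib.sha256).digest()


# Hypothetical TLV layout for a proactive authentication command (type: 1 byte,
# length: 2 bytes, value). Not the MIH protocol's real encoding.
TLV_MN_LINK_ID, TLV_TARGET_POA_ID, TLV_EAP = 1, 2, 3
REQUIRED = (TLV_MN_LINK_ID, TLV_TARGET_POA_ID, TLV_EAP)
# Constructed latency figures: EAP full authentication vs. layer-2 key management
EAP_MS, SA_MS = 300, 10


def encode(fields):
    return b"".join(struct.pack("!BH", t, len(fields[t])) + fields[t] for t in REQUIRED)


def decode(buf):
    """Parse the container; reject truncated, duplicated or missing TLVs."""
    fields, i = {}, 0
    while i < len(buf):
        if i + 3 > len(buf):
            raise ValueError("truncated TLV header")
        t, n = struct.unpack("!BH", buf[i:i + 3])
        i += 3
        if i + n > len(buf):
            raise ValueError("truncated TLV value")
        if t in fields:
            raise ValueError("duplicate TLV")
        fields[t] = buf[i:i + n]
        i += n
    missing = [t for t in REQUIRED if t not in fields]
    if missing:
        raise ValueError("missing TLVs %s" % missing)
    return fields


class TargetAuthenticator:
    """Authenticator of a candidate target PoA, reached through the serving
    network before the handover commitment."""

    def __init__(self, poa_id, credentials):
        self.poa_id, self.credentials, self.pending = poa_id, credentials, {}

    def proactive_auth(self, msg):
        f = decode(msg)
        if f[TLV_TARGET_POA_ID] != self.poa_id:
            return False  # command is bound to a different target PoA
        mn, ltk = f[TLV_MN_LINK_ID], self.credentials.get(f[TLV_MN_LINK_ID])
        # the EAP run is reduced to one proof over the long-term key (assumption)
        if ltk is None or not hmac.compare_digest(prf(ltk, b"eap-proof", self.poa_id), f[TLV_EAP]):
            return False
        msk = prf(ltk, b"MSK", self.poa_id)
        self.pending[mn] = prf(msk, b"bound", mn + self.poa_id)  # bound to both link-layer ids
        return True

    def key_install(self, mn_link_id):
        """Key install command at attach time: release the pre-established key
        only for the link identity it was bound to."""
        return self.pending.pop(mn_link_id, None)


class MobileNode:
    def __init__(self, link_id, ltk):
        self.link_id, self.ltk, self.bound = link_id, ltk, {}

    def proactive_auth_command(self, target_poa_id):
        msk = prf(self.ltk, b"MSK", target_poa_id)
        self.bound[target_poa_id] = prf(msk, b"bound", self.link_id + target_poa_id)
        return encode({TLV_MN_LINK_ID: self.link_id, TLV_TARGET_POA_ID: target_poa_id,
                       TLV_EAP: prf(self.ltk, b"eap-proof", target_poa_id)})

    def handover(self, attached_poa_id):
        """Handover commitment: with a key pre-established for the PoA actually
        attached to, only the Secure Association remains on the new link."""
        key = self.bound.get(attached_poa_id)
        return key, (SA_MS if key is not None else EAP_MS + SA_MS)


def demo():
    ltk = os.urandom(32)  # constructed long-term credential
    mn = MobileNode(b"mn-1", ltk)
    poa2 = TargetAuthenticator(b"poa-2", {b"mn-1": ltk})
    poa3 = TargetAuthenticator(b"poa-3", {b"mn-1": ltk})
    cmd = mn.proactive_auth_command(b"poa-2")  # carried over the serving network
    accepted_by_target = poa2.proactive_auth(cmd)
    rejected_by_other = not poa3.proactive_auth(cmd)  # binding to poa-2 fails at poa-3
    key, with_ms = mn.handover(b"poa-2")
    keys_match = key is not None and key == poa2.key_install(b"mn-1")
    wrong_link_rejected = poa2.key_install(b"mn-2") is None
    _, without_ms = MobileNode(b"mn-1", ltk).handover(b"poa-2")  # no proactive authentication
    return {"accepted_by_target": accepted_by_target, "rejected_by_other": rejected_by_other,
            "keys_match": keys_match, "wrong_link_rejected": wrong_link_rejected,
            "interruption_with_ms": with_ms, "interruption_without_ms": without_ms}
```

The parser's strictness matters because the container travels over another network before the target link exists: a command with a missing or duplicated binding field is refused rather than guessed at, and a command addressed to one PoA cannot be turned into a key at another.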
